WE ARE living in an era that some refer to as the “Internet of Things” (“IoT”), where wireless connected devices know how we work, play, shop, sleep, drive, manage our homes, and medicate. IoT is a concept that represents the network of smart devices (or “things”) that are connected to the Internet and to each other and have the ability to collect and exchange data on every aspect of our lives and businesses.1 “Though there is no specific definition of IoT, the concept focuses on how computers, sensors, and objects interact with each other and collect information relating to their surroundings.”2 The connected devices operate on embedded sensors that automatically measure and transfer data (i.e., environmental and activity information) over a network to data stores without human interaction.3 These data stores interact with analytic engines to collect and provide data that can be acted upon.4

Among connected devices are devices that allow for the remote monitoring of babies and children; devices to help you to remember to take your medications; devices to track your activity levels; devices to help monitor an aging family member; medical devices that allow your health to be monitored by your doctor and that automatically release proper levels of medication; devices that allow you to remotely monitor your home; devices that allow you to turn off appliances or change the temperature in your home; devices that allow you to feed and water your plants and pets; and refrigerators that remind you when you are out of eggs. There are smart TVs and toys. There are devices that allow cities and governments to monitor trash pick-up, traffic flows, pollution levels, electricity usage, and the structural soundness of buildings and roads. There are devices that allow companies to monitor the repair and maintenance needs of equipment and track real time marketing trends in stores. This list of IoT devices is in no way complete, and it grows longer every day.

In 2009, the number of IoT devices surpassed the number of people,5 yet, the development and use of connected devices is really just in its infancy. By 2020, it is estimated that there could be 50 billion connected devices.6 By way of example, only 10% of consumer cars were connected to the Internet in 2009, but in 2020, 90% of consumer cars will be connected.7 “All of these connected machines mean much more data will be generated: globally, by 2018, mobile data traffic will exceed fifteen exabytes – about 15 quintillion bytes – each month. By comparison, according to one estimate, an exabyte of storage could contain 50,000 years’ worth of DVD-quality video.”8

Certainly, IoT devices can provide many benefits to consumers – convenience, home safety, medical monitoring, and reduced energy waste are a few examples. These benefits help explain IoT’s rapid growth. But, these devices create both security and privacy risks.

IoT devices can be hacked and controlled by third-parties. For example, imagine if the software system for the electronic thermostat in your home is hacked and turned off. Your home is damaged as a result of frozen pipes and/or water damage. Or, imagine if your home security system is hacked and disconnected. Your home is then vandalized and robbed.9 Or, what if your doctor’s medical monitoring equipment software is hacked? Your medical device doesn’t release the medicine you need to survive. Or, what if your implanted defibrillator has been reprogrammed by an unauthorized user?

There are also privacy risks related to IoT devices. The devices collect, transmit, and store consumer data, some of which is highly personal. If they are hacked, your private personal information could be shared, sold, and used. Private conversations could be exposed. Your private life is now no longer private.

Beyond these security and privacy risks, a device may also simply malfunction. A remotely operated device might fail and cause property damage such as fire or water damage. A home security device might leave doors or windows open, allowing intrusions or burglaries. Or, a medical device may fail to provide crucial medication to a patient or information to a doctor, causing serious injury or even death.

II. Can Product Liability Law Keep Up in the IoT Era?

If an IoT device is hacked and/or malfunctions, there will be new challenges with regard to product liability law. Traditional notions of product liability law provide that a product manufacturer, component part supplier, or seller (and others who make products available to the public) are to be held liable if they put a defective product into a consumer’s hands and the defect causes personal injury or property damage. A consumer can sometimes be liable for mishandling or misusing a product as well. Product liability claims are based on state laws and brought under negligence, strict liability, or breach of warranty theories.10 With an IoT device, however, these traditional notions will be challenged. What product liability law will look like in 2020 is an unknown. Today, unfortunately, there are more questions than answers.

For example, how are damages related to privacy issues to be compensated? What if there is a security breach and private information is obtained and even shared but not used. How do you quantify those damages? Damages related to privacy issues are intangible and hard to quantify. These types of damages also create legal questions of standing.

In addition, how do you allocate responsibility for damages? Does legal fault lie with the hacker, with the manufacturer, or with the owner who may have failed to properly secure the product (i.e., by using a sufficiently strong password or by timely updating the software)? If there is a software failure versus an actual defect in the product, should the maker of a product be held liable for the software failure? What if the manufacturer of the product or the software failed to include sufficient security designs? What about component part liability? Traditional product liability law holds that defective component part manufacturers can be held liable. Is software a component part?

Are there contracts between the software company and product manufacturer that allocate the risk of a potential hack and resulting damages between them? Are those contracts specific to the product and negotiated at arm’s length? Was the consumer compelled to sign a standard form agreement that automatically waived claims in order to use the software that accompanied the product?

What about insurance? Will traditional insurance policies, which generally cover losses that result in property damage or bodily injury resulting from a product defect, apply when an IoT product failure occurs? Will insurers begin to redesign their policies to provide specifically designed coverage to prevent any potential gaps in coverage?

At trial, what standards can be used to suggest an IoT’s alleged design, manufacturing, or other flaws fell below a minimum acceptable level? There are some developing standards relating to IoT but nothing that is considered universally acceptable. For example, the Institute of Electrical and Electronics Engineers (“IEEE”) has a “Standard for an Architectural Framework for the Internet of Things (IoT),”11 the International Organization for Standardization (“IOS”) and the International Electrotechnical Commission (“IEC”) have a family of standards for security management systems,12 and the International Telecommunications Unit (“ITU”) has an Internet of Things Global Standards Initiative.13 The United States Federal Trade Commission is taking a serious look at what kind of regulations are needed for personal and home devices that collect and transmit user data14 and, at the end of 2016, the U.S. Food and Drug Administration issued final guidance regarding the need for post market management of cybersecurity in medical devices.15 IoT is so broad and complex that no single standards organization has the possibility of being the one entity to pull it all together. How will liability be judged at trial if there is no minimum set of safety precautions or requirements?

If a product has vulnerabilities that allow it to be hacked, can a consumer allege the device was defective due to insufficient security controls or a failure of the manufacture to warn of dangers it knew of regarding the device’s configuration? And, has the consumer waived any rights regarding the software pursuant to any licensing agreement that was provided with the product?

Who has custody, ownership, and control over the data collected? Does the consumer own the data even though the data is maintained by someone else? Will there be chain of custody issues with regard to the data collected?

Software in connected devices will also impact discovery and investigation in IoT cases. There will be an added layer of complexity to any investigation with regard to what happened. In addition, the discovery process in IoT litigation could implicate privacy concerns. Plaintiffs may have to turn over the devices or tablets from which they operate a connected product that is the subject of the lawsuit. The devices may be helpful in determining if appropriate software updates occurred to allow the connected device to function properly or if a hack occurred. The information may help provide evidence of negligence on the part of the consumer or perhaps that of a hacker whose hack makes the product cause damage. Notwithstanding the arguable need for discovery of information on personal devices, plaintiffs may be reluctant to turn over devices that contain personal data.

Finally, even a small glitch in a network can impact hundreds or thousands or millions of products. This is a perfect formula for product liability no-injury class action litigation. Below, this article provides examples of cases that are already beginning to touch upon many of these issues.

III. IoT Device Cases

There have been cases involving IoT connected devices, but instead of litigating product liability issues, the issue of standing (lack of actual harm) is the prevalent theme in these cases.16

In Cahen v. Toyota Motor Corp.,17 Cahen filed an over 300-page national class action against Toyota, Ford, and General Motors. Cahen alleged, among other things, that these car manufacturers equipped their vehicles with computer technology that is vulnerable to hacking. Plaintiffs alleged that a hacker can communicate remotely (through Bluetooth or cellphone) with computers controlling many of the vehicles’ functions, resulting in a complete loss of driver control over steering, accelerating, and braking. Plaintiffs claimed that the manufacturers were aware of these security issues but nevertheless advertised their products as safe. As such, plaintiffs asserted that the auto companies breached, among other things, the implied warranty of merchantability and contract/ common law warranty and committed fraud.

The auto companies moved to dismiss on various grounds, including lack of standing. The defendants argued “plaintiffs do not allege any hacking incidents that have taken place outside of controlled settings, and that the entire threat rests on the speculative premise that a sophisticated third-party cyber- criminal may one day successfully hack one of plaintiffs’ vehicles.” Citing traditional automobile product liability cases, the court agreed with defendants, determining that the potential risk of future hacking was not an injury in fact. Nor was the court persuaded that standing could be supplied because of a “benefit of the bargain theory,” holding: “The plaintiffs have not, for example, alleged a demonstrable effect on the market for their specific vehicles based on documented recalls or declining Kelley Bluebook values.”18 The case was dismissed. Plaintiffs have appealed the dismissal to the Ninth Circuit, however.

In another suit against Chrysler Group,19 plaintiffs alleged that a security flaw in “infotainment” centers manufactured by co-defendant Harman International Industries was installed in certain vehicles. Plaintiffs alleged the “infotainment” center is “exceedingly hackable,” permits hackers to “remotely take control” of the steering, acceleration, and braking, and lacks the ability to quickly and effectively patch any software security flaws. The complaint alleges negligence, fraud, and breach of warranties.

Following defendants’ motion to dismiss on, among other grounds, the speculative nature of the damages, the court dismissed certain claims and trimmed others. According to the court, plaintiffs lacked standing to seek damages for the threat of future hacking. But, the court found plaintiffs did have standing to sue for damages for the diminished value of the car because “the ongoing vulnerabilities have reduced the market value of their vehicles.”20

Cardiac devices, such as pacemakers and defibrillators, were the subject of Ross v. St. Jude Medical Inc.21The devices at issue include an in-home monitoring system and use radio frequency wireless technology. The technology allows the implanted devices to be monitored remotely. The plaintiff filed a proposed class action alleging that the system lacked the “most basic security defenses.” The plaintiff was not physically injured in any way but he claimed that the devices could be disabled or their batteries drained if they are hacked. Plaintiff voluntarily dismissed the case, without prejudice, in December 2016.

In Baker v. ADT Corp.,22 plaintiff filed a class action alleging that ADT’s wireless security and monitoring equipment could be remotely turned on or off using technology accessible to the public. In addition, plaintiff claimed that third parties “can also hack into ADT’s wireless systems and use customers’ own security cameras to unknowingly spy on them.”

Plaintiff in Baker alleged that his system was hacked at least twice by an unauthorized third party, which “caused the system to be falsely triggered, which in turn caused ADT to contact Plaintiff and have the police called to Plaintiff’s home.”23 But rather than quantify any particular harm that flowed from those “false alarms,” plaintiff’s allegations focused instead on several of ADT’s marketing statements, including that ADT’s monitoring centers were “equipped with secure communication links.” His suit alleged violations of the Florida and Illinois consumer fraud statutes and claims for strict product liability and unjust enrichment.

Although the claims for strict product liability and unjust enrichment were ultimately dismissed, the case continues with consumer fraud claims based on the “secure communication links” representations in ADT’s advertising.

In re VTech Data Breach Litigation24 involved a manufacturer of children’s learning toys that link to certain web-based services. The complaint alleges that in November 2015, an overseas hacker illegally bypassed VTech’s security measures, obtained customer data, such as profile pictures, emails, passwords and nicknames, and provided the data to a journalist. The hacker was arrested shortly thereafter.

According to the complaint, the journalist who broke the story wrote: “[VTech] left thousands of pictures of parents and kids and a year’s worth of chat logs stored online in a way easily accessible to hackers.” The plaintiffs alleged, among other things, an increased risk of harm and diminished value of the products. They asserted claims for breach of contract, breach of the warranty of merchantability, and violations of state consumer protection laws.

In April 2016, the defendants filed a motion to dismiss alleging that the plaintiffs suffered no actual injury, as the plaintiffs did not plead that the data traveled beyond the hacker, the journalist, and a security analyst, and, as such, that plaintiffs lacked standing. The defense argued that there can be no liability for a hacker who neither intends nor accomplishes any harm beyond pointing out the vulnerability in the toy’s software system. The defendants’ motion to dismiss is still pending.

Another “connected” toy that resulted in litigation is “Hello Barbie.”25 Plaintiffs alleged negligence, unfair competition, and privacy violations against the doll’s manufacturer, Mattel Inc., and ToyTalk Inc., which managed the toy’s online technology. Plaintiffs alleged the doll was designed to engage in conversation with a child, record each conversation, and collect and store the recordings in the cloud. The complaint alleged that security issues had been discovered, including a vulnerability through which a hacker could “impersonate a doll in order to lure an unsuspecting user into connecting to and supply[ing] user information to an impersonated doll.” There was no allegation of actual malicious hacking of the accounts or misuse of the information in the manner identified that caused direct harm to plaintiffs.

The defendants removed to federal court26 and filed motions to dismiss based on standing and other grounds, and also moved to compel arbitration. The court never ruled on the motions because plaintiffs agreed to dismiss the case with prejudice.

IV. Conclusion

Given the predictions regarding the number of IoT devices expected to exist in 2020 and the amount of data traffic expected to be created, the number of consumer claims will only continue to grow. Traditional product liability theories will need to be examined and re-examined in this new era. The IoT has not only changed and will continue to change the way we live … it will change how we think about security, privacy, and traditional notions of product liability law. In time, we will learn if product liability laws can keep up.

See Embedded Intelligence – Connecting Billions of Smart Sensors into the Internet of Things, Arm Holdings, available at https://perma.cc/3HWX-QBWW (last visited May 11, 2017); see also Daniel Burrus, The Internet of Things is Far Bigger Than Anyone Realizes, https://www.wired. com/insights/2014/11/the-internet-of-things-bigger (last visited May 11, 2017).

Burrus, supra note 3.

See Dave Evans, The Internet of Things: How the Next Evolution of The Internet is Changing Everything at 3, Cisco Internet Bus. Solutions Grp. (April 2011), available at https://perma.cc/HDF9-NM6T. These are estimates for all types of connected devices, not just consumer market devices.

Id. IDC’s Digital Universe study reports that by 2020, there will be 200 to 300 billion connected IoT objects. See, The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, EMC2 (April 2014), available at https://perma.cc/86RJ-786G; see also Data Set to Grow 10-fold by 2020 as Internet of Things Takes Off, Computerweekly.com (April 2014), http://www.computer weekly.com/news/2240217788/Data-set-to-grow-10-fold-by-2020-as-internet-of-things-takes-off, archived at https://perma. cc/KGW9-K7DF.

Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff, U.S. Food & Drug Administration, December 28, 2016, available at https://www. fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf.

“Actual or imminent” injury—not just “conjectural or hypothetical” harm— is the “irreducible minimum” of all lawsuits under the Constitution. Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992). (Scalia, J.) “No principle is more fundamental to the judiciary’s proper role in our system of government.” DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 341 (2006) (Ginsburg, J.).

In McMillin Mgmt. Servs. v. Financial Pacific Ins. Co., Cal.Ct.App. (4th Dist.), Docket No. D069814 (filed 11/14/17), the California Court of Appeal held that the term “liability arising out of,” as used in an ongoing operations endorsement, does not require that the named insured’s liability arise while it is performing work on a construction project.

In the McMillin case, the general contractor and developer (McMillin) contracted with various subcontractors, including a concrete subcontractor and stucco subcontractor insured by Lexington Insurance Company. Both subcontractors performed their work at the project prior to the sale of the units.

The Lexington policies contained substantively identical additional insured endorsements that provided coverage to McMillin “for liability arising out of your [the named insured subcontractor’s] ongoing operations performed for [McMillin].” Several homeowners filed suit against McMillin, alleging that they had discovered various defective conditions arising out of the construction of their homes, including defects arising out of the work performed by Lexington’s insureds. Lexington argued that there was no potential for coverage in McMillin’s favor under the endorsements because there were no homeowners during the time that the subcontractors’ operations were performing work at the project (the homes closed escrow after the subcontractors had completed their work); thus, McMillin did not have any liability for property damage that took place while the subcontractors’ operations were ongoing.

The court rejected Lexington’s argument, noting that the endorsements stated that Lexington would provide coverage to McMillin for liability “arising out of” ongoing operations, and that the term “arising out of” is not synonymous with “during.” The court opined that “arising out of” required only a “minimal causal connection or incidental relationship” between McMillin’s liability and the subcontractors’ ongoing operations, and that the lack of homeowners during the subcontractors’ ongoing operations did not rule out the possibility that McMillin could suffer liability arising out of the subcontractors’ ongoing operations. The court also held that Lexington failed to establish that all of the damage occurred after the ongoing operations were completed; and that under the plain language of the endorsements, if property damage occurred before the ongoing operations were completed, the additional insured was entitled to coverage.

McMillin is another example of the recent trend by the California Court of Appeal in expanding the scope of coverage under ongoing operations endorsements in favor of developers and general contractors, as evidenced by the court’s August 2017 ruling in Pulte Home Corp. v. American Safety Indemnity Co., 14 Cal.App.5th 1086 (2017). Nevertheless, developers and general contractors would be well-advised to carefully review additional insured endorsements to confirm that the language of the endorsements is consistent with their expectations of coverage and contain no language that requires the named insured’s liability to arise during the course of the named insured’s ongoing operations as a prerequisite to coverage.

In the case of CH2M Hill Engineers, Inc. v. Springer, et al., the Court of Appeals of Texas, Ninth District, sitting in Beaumont, decided an interlocutory appeals brought by the Appellant CH2M Hill Engineers, Inc. The Court of Appeals concluded that the “trial court did not abuse its discretion when it denied CH2M’s motion to dismiss” based upon the evidence before it, and affirmed the trial court’s order. The Court of Appeals noted that

While the record contains evidence that CH2M is registered with the Texas Board of Professional Engineers, the record does not contain any evidence that a licensed or registered professional practices within CH2M. Scott Neeley, Senior Designated Manager, signed the agreement between CH2M Hill and the Appellees. Mr. Neeley has not been shown to be a ‘licensed or registered professional,’ nor did he sign the contract as such. Moreover, the report is not signed by a licensed or registered engineer, but only issued by ‘CH2M Hill.’ CH2M has not proven, or even identified a single licensed professional engineer who performed professional engineering services for the firm.

We conclude CH2M has failed to meet its burden of proof to show an abuse of discretion by the trial court.

The Appellant was engaged by the City of Beaumont to evaluate the City’s water distribution and sewer collection service, and submitted a report very critical of the service and some of its employees. After receiving the report, the City demoted, discharged and terminated several employees. These employees later filed this lawsuit against CH2M Hill seeking damages for defamation, tortious interference with a contract and other claims.

The Appellant then filed a motion to dismiss the lawsuit because the plaintiffs failed to timely file a “certificate of merit,” as required by the Texas Civil Practice and Remedies Code, which applies to any action for damages arising out of the provision of professional services by a licensed or registered professional. The plaintiffs then pointed out to the court that while CH2M Hill itself is registered with the Texas Board of Professional Engineers, there is no evidence in the record of “a single licensed professional engineer who has performed engineering services for the firm.” After a hearing, the trial court denied CH2M’s motion, and CH2M consequently filed an interlocutory appeal, arguing that the trial court abused its discretion in denying CH2M’s motion to dismiss.

Because no licensed or registered professionals were identified, not certificate of merit was required. As a result, the Court of Appeals concluded that the trial court did not abuse its discretion when it denied CH2M’s motion to dismiss.

We have noted, again and again, examples of disappointed Additional Insureds. Today we report that at least one Additional Insured has left the Courthouse smiling. It was, however, to paraphrase Wellington, a near-run thing.

The case is Pekin Ins. Co. v. Ledcor Constr., Inc., 2017 IL App (1st) 162623-U. The set up was this:

Pekin issued a CGL insurance policy to Procaccio, as named insured; Ledcor was an additional insured. Pursuant to a policy endorsement, Ledcor was covered only with respect to vicarious liability for bodily injury imputed from Procaccio to Ledcor as a proximate result of Procaccio’s ongoing operations performed for Ledcor during the policy period. The endorsement specifically excluded coverage for Ledcor for bodily injury liability arising out of or in any way attributable to the claimed negligence of Ledcor, other than vicarious liability imputed to Ledcor solely by virtue of the acts or omissions of Procaccio.

Pekin, 2017 IL App (1st) 162623-U, ¶ 5.

On the job site, a worker tripped over a tool belt and was injured. He sued, among others, Ledcor, the Additional Insured. The Complaint alleged that Ledcor was itself negligent. It also alleged that Procaccio was negligent. But unfortunately for Ledcor, it did not — at least expressly — allege that Ledcor was vicariously liable for Procaccio’s negligence.

The Court nevertheless found a duty to defend:

The Gregory complaint alleges, in part, that Ledcor, “by and through its agents, servants and employees,” was guilty of various acts and/or omissions. Reviewing the complaint as a whole, it is possible that Procaccio—a co-defendant of Ledcor—is one of the responsible agents, servants, or employees. Like the court in Centex Homes, we decline to parse the underlying complaint for allegations of a specific amount or type of control by Ledcor over Procaccio.

Pekin, 2017 IL App (1st) 162623-U, ¶22.

A win is a win, of course. But considering what it must have cost the Additional Insured in attorney’s fees, one is again reminded of Wellington: “Believe me, nothing except a battle lost can be half so melancholy as a battle won. . . .” Had our Additional Insured insisted on less restrictive Additional Insured language to begin with, a battle might not have been necessary.

The title of this post may seem obvious. Of course you need to name the right people. “Why even write about this?” you may ask yourself. The answer to this question is that the list of all of the parties necessary to a successful lawsuit may not be so obvious.

One example is the case of a Virginia mechanic’s lien lawsuit. The obvious parties would be the contractor or subcontractor that owes the money and the owner of the property. However, you can’t stop there. The trustees to any deed of trust and the bank or other party that may hold a note on the property are necessary parties as well. Failure to name one of these necessary parties can lead to dismissal of your suit. This is why I always recommend a title search prior to any mechanic’s lien memorandum being recorded and an update prior to suit.

A recent case out of the Eastern District of Virginia Federal Court in Alexandria illustrates another case where the plaintiff did not correctly answer the “necessary party” question. In ADI Construction of Va. LLC v. Bordewick the court considered a design build contract and a claim on that contract. After settling much of the claim with certain parties, the Plaintiff, ADI, sought to recover the final amounts owed for its work from the authorized agents and representatives of the Owner named in the original contract, Executive Readiness, d/b/a Guardian 24/7. However, in filing its suit, it only named the agent and representative but failed to name Guardian.

The Court found that Guardian was a necessary party to the lawsuit under Fed. R. Civ. P. 19(a)(1)(B)(ii), reasoning:

On the one hand, plaintiff seeks to recover a portion of the money allegedly owed to it from defendants through the current lawsuit, a lawsuit which primarily relies on the assertion that Guardian is not a party to or liable under the Agreement and that defendants are instead. On the other hand, plaintiff already has accepted a settlement for a portion of the money allegedly owed to it from other defendants that are entities who work for or are otherwise connected to Guardian, a resolution of which is inconsistent with plaintiff’s current stance in this litigation.

The Court then dismissed the lawsuit because addition of Guardian would destroy its diversity jurisdiction and suggested that the Virginia state courts could handle the case.

While this final disposition did not end the matter, the failure to name Guardian and file in Virginia state court caused the loss of time and money on the part of the plaintiff. For this reason, involving an experienced construction lawyer in the process early on could have saved time and money by making sure that the correct parties were named from the beginning.

Disclaimer

This Blog/Website is made available by the expert or expert witness firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Webwite publisher. The Blog/Webwite should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.